| rfc9728v3.txt | rfc9728.txt | |||
|---|---|---|---|---|
| skipping to change at line 118 ¶ | skipping to change at line 118 ¶ | |||
| other cases, it may be dynamically discovered; for example, a user | other cases, it may be dynamically discovered; for example, a user | |||
| could enter their email address into an email client, the client | could enter their email address into an email client, the client | |||
| could perform WebFinger discovery [RFC7033] (in a manner related to | could perform WebFinger discovery [RFC7033] (in a manner related to | |||
| the description in Section 2 of [OpenID.Discovery]) to find the | the description in Section 2 of [OpenID.Discovery]) to find the | |||
| resource server, and the client could then fetch the resource server | resource server, and the client could then fetch the resource server | |||
| metadata to find the authorization server to use to obtain | metadata to find the authorization server to use to obtain | |||
| authorization to access the user's email. | authorization to access the user's email. | |||
| The metadata for a protected resource is retrieved from a well-known | The metadata for a protected resource is retrieved from a well-known | |||
| location as a JSON [RFC8259] document, which declares information | location as a JSON [RFC8259] document, which declares information | |||
| about its capabilities and optionally, its relationships to other | about its capabilities and, optionally, its relationships with other | |||
| services. This process is described in Section 3. | services. This process is described in Section 3. | |||
| This metadata can be communicated either in a self-asserted fashion | This metadata can be communicated either in a self-asserted fashion | |||
| or as a set of signed metadata values represented as claims in a JSON | or as a set of signed metadata values represented as claims in a JSON | |||
| Web Token (JWT) [JWT]. In the JWT case, the issuer is vouching for | Web Token (JWT) [JWT]. In the JWT case, the issuer is vouching for | |||
| the validity of the data about the protected resource. This is | the validity of the data about the protected resource. This is | |||
| analogous to the role that the software statement plays in OAuth | analogous to the role that the software statement plays in OAuth | |||
| Dynamic Client Registration [RFC7591]. | Dynamic Client Registration [RFC7591]. | |||
| Each protected resource publishing metadata about itself makes its | Each protected resource publishing metadata about itself makes its | |||
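Review bot: the only edit in this block is on the "about its capabilities" line, and it bundles two changes: the comma pair now correctly brackets "optionally", and "relationships to other services" becomes "relationships with other services". Both are editorial; neither alters the Section 3 retrieval process or the self-asserted-versus-JWT distinction in the following paragraph, so the change is fine to accept as-is.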
| skipping to change at line 804 ¶ | skipping to change at line 804 ¶ | |||
| authorization server or the client. | authorization server or the client. | |||
| The ways to determine the appropriate authorization servers to use | The ways to determine the appropriate authorization servers to use | |||
| with a protected resource are, in general, application dependent. | with a protected resource are, in general, application dependent. | |||
| For instance, some protected resources are used with a fixed | For instance, some protected resources are used with a fixed | |||
| authorization server or a set of authorization servers, the locations | authorization server or a set of authorization servers, the locations | |||
| of which may be known via out-of-band mechanisms. Alternatively, as | of which may be known via out-of-band mechanisms. Alternatively, as | |||
| described in this specification, the locations of the authorization | described in this specification, the locations of the authorization | |||
| servers could be published by the protected resource as metadata | servers could be published by the protected resource as metadata | |||
| values. In other cases, the set of authorization servers that can be | values. In other cases, the set of authorization servers that can be | |||
| used with a protected resource can by dynamically changed by | used with a protected resource can be dynamically changed by | |||
| administrative actions or by changes to the set of authorization | administrative actions or by changes to the set of authorization | |||
| servers adhering to a trust framework. Many other means of | servers adhering to a trust framework. Many other means of | |||
| determining appropriate associations between protected resources and | determining appropriate associations between protected resources and | |||
| authorization servers are also possible. | authorization servers are also possible. | |||
| 7.7. Server-Side Request Forgery (SSRF) | 7.7. Server-Side Request Forgery (SSRF) | |||
| The OAuth client is expected to fetch the authorization server | The OAuth client is expected to fetch the authorization server | |||
| metadata based on the value of the issuer in the resource server | metadata based on the value of the issuer in the resource server | |||
| metadata. Since this specification enables clients to interoperate | metadata. Since this specification enables clients to interoperate | |||
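Review bot: the typo fix on the "used with a protected resource" line ("can by dynamically changed" to "can be dynamically changed") is correct and is the only change in this block; the surrounding text on how authorization servers are associated with a protected resource, including the lead-in to Section 7.7 on SSRF, is carried over unchanged.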
| End of changes. 2 change blocks. | ||||
| 2 lines changed or deleted | 2 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||